b"MEMORANDUM\n\nTO            :       Judith A. Winston\n                      General Counsel\n                      Office of the General Counsel\n\nFROM          :       Mary Mitchelson\n                      Assistant Inspector General\n                      Analysis and Inspection Services\n\nSUBJECT       :       Results of the OIG Review of OGC\xe2\x80\x99s Internal Controls Over the\n                      Procurement of Goods and Services (A&I 2000-012)\n\n\nINTRODUCTION\n\nThis is our report of our review of the Office of the General Counsel\xe2\x80\x99s (OGC) internal\ncontrols over the procurement of goods and services. This review is part of our\nDepartment-wide review of this area. The Department\xe2\x80\x99s management is responsible for\nestablishing and maintaining internal controls. We will transmit the Department-wide\nresults to the Deputy Secretary with copies to the Assistant Secretaries and other senior\nstaff when we complete our review. On September 12, 2000, Office of Inspector General\n(OIG) staff met with you and your Executive Officer, Carolyn Adams, to discuss the\nresults of this review.\n\nRESULTS\n\nDuring our review in OGC, we identified instances of noncompliance with the Federal\nAcquisition Regulation (FAR) and current Department policies and procedures:\n\n\xc3\xbc Possible split procurements \xe2\x80\x93 We identified two acquisitions that appear to have been\n  split. One appears to have been split to avoid the cardholder\xe2\x80\x99s single purchase limit\n  and the other to avoid the micro-purchase threshold. The FAR prohibits the division\n  of an acquisition to \xe2\x80\x9cavoid any requirement that applies to purchases exceeding the\n  micro-purchase threshold.\xe2\x80\x9d\n\n\xc3\xbc Use of purchase cards by a non-cardholder \xe2\x80\x93 We were informed that purchase cards\n  were used by the Approving Official/Executive Officer, who is not a cardholder. The\n  Department\xe2\x80\x99s Directive on Commercial Credit Card Service states: \xe2\x80\x9cEach card has\n  the cardholder\xe2\x80\x99s name embossed on it and may be used only by that person. No one\n\x0c   else is authorized to use the card.\xe2\x80\x9d The Directive also states: \xe2\x80\x9cAn approving official\n   may not be a cardholder.\xe2\x80\x9d These restrictions are to ensure the proper use of purchase\n   cards.\n\nWe identified certain deficiencies, in addition to the instances of non-compliance\nidentified above, that prevent OGC from satisfying the General Accounting Office\xe2\x80\x99s\n(GAO) Standards for Internal Control in the Federal Government. For your information\nand corrective action, those deficiencies are listed in the attached chart (Attachment A).\nIn the future, we anticipate conducting a follow-up review to assess the actions you have\ntaken to satisfy GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government.\n\nIn addition, we want to advise you and OGC managers of inherent vulnerabilities we\nidentified in two Department procurement systems.\n\n\xc3\xbc Purchase Cards \xe2\x80\x93 For efficiency, the Department designed a purchase card system\n  where cardholders can order, receive and approve payments for goods and services.\n  Consequently, as a control, the Department established approving officials to review\n  the use of purchase cards. Therefore, it is important that approving officials properly\n  review all cardholder statements, including invoices, before forwarding them to the\n  Office of the Chief Financial Officer for payment.\n\n\xc3\xbc Third Party Drafts (TPDs) \xe2\x80\x93 An individual with signature authority can issue TPDs\n  without the involvement of anyone else. Therefore, it is important that, at a\n  minimum, the supervisor of the individual with signature authority conduct periodic\n  reviews of drafts issued.\n\nOBJECTIVE\n\nOur review objective was to assess the internal controls to ensure compliance with laws\nand regulations for the procurement of goods and services other than studies or\nevaluations.\n\nSCOPE\n\nWe limited our work to procurements in Washington, D.C. (Headquarters) using TPDs\nand purchase cards. We did not conduct testing on OGC\xe2\x80\x99s use of \xe2\x80\x9cCorporate\xe2\x80\x9d\nGovernment Travel Accounts. We conducted a cash count of OGC\xe2\x80\x99s Imprest fund. We\ndid not review individual transactions of the Imprest fund.\n\nMETHODOLOGY\n\nTo achieve our objectives, we conducted interviews with OGC staff involved with the\nprocurement process, and we reviewed relevant documents. As part of our work, we\nreviewed samples of TPDs and purchase card transactions. For our review of TPDs, we\nselected a random sample of 20 TPDs issued between October 1998 through September\n1999 (FY 1999) and October 1999 through February 2000 (FY 2000). OGC has two\ncardholders. We judgmentally selected a sample of monthly purchase card statements\n\x0cdated between January 1999 and May 2000. Then we selected 25 transactions to review.\nWe also reviewed OGC\xe2\x80\x99s monthly purchase card statements that were in the Financial\nManagement Policies and Administrative Programs Group files for the months of\nSeptember 1999 and March 2000.\n\nWe based our conclusions about OGC's internal controls on information gathered during\nour interviews and transaction testing. We conducted our interviews and transaction\ntesting between May 11, 2000 and August 25, 2000. We assessed OGC's internal\ncontrols based on GAO's Standards for Internal Control in the Federal Government\nissued November 1999. Attachment B to this memorandum contains a summary of the\nGAO Standards. We conducted our work in accordance with the President's Council on\nIntegrity and Efficiency Quality Standards for Inspections dated March 1993.\n\nWe appreciate the cooperation shown by your staff during our review. If you have any\nquestions regarding the results of this review, please call me at 260-3556.\n\n\nAttachments\n\n\ncc:    Deputy Secretary\n\x0c                                                                           Attachment B\n\n          GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government\n                        Components of Internal Control\n\n\xe2\x80\xa2   Control Environment \xe2\x80\x93 Management and employees should establish and maintain\n    an environment throughout the organization that sets a positive and supportive\n    attitude toward internal controls and conscientious management.\n\n    Factors:\n\n    3 Management and staff maintain and demonstrate integrity and ethical values.\n\n    3 Management maintains an active commitment to competence.\n\n    3 Management\xe2\x80\x99s philosophy and operating style exert a positive influence on the\n      organization (especially toward information systems, accounting, personnel\n      functions, monitoring and audits).\n\n    3 Organizational structure is appropriately centralized or decentralized, and\n      facilitates the flow of information across all activities.\n\n    3 Agency delegates authority and responsibility and establishes related policies\n      throughout the organization in a manner that provides for accountability and\n      control.\n\n    3 Agency establishes human resource policies and practices that enable it to recruit\n      and retain competent people to achieve its goals.\n\n\xe2\x80\xa2   Risk Assessment \xe2\x80\x93 Internal controls should provide for an assessment of the risks the\n    agency faces from both external and internal sources.\n\n    \xc3\xbc Precondition \xe2\x80\x93 establishment of clear and consistent agency objectives.\n\n    \xc3\xbc Risk assessment \xe2\x80\x93 the comprehensive identification and analysis of relevant risks\n      associated with achieving agency objectives, like those defined in strategic and\n      GPRA annual performance plans, and forming a basis for determining how the\n      agency should manage risks.\n\n    \xc3\xbc Risk identification \xe2\x80\x93 methods may include qualitative and quantitative ranking\n      activities, management conferences, forecasting and strategic planning, and\n      consideration of findings from audits and other assessments.\n\n    \xc3\xbc Risk analysis \xe2\x80\x93 generally includes estimating the risk\xe2\x80\x99s significance, assessing the\n      likelihood of its occurrence, and deciding how the agency should manage its risk.\n\x0c\xe2\x80\xa2   Control Activities \xe2\x80\x93 Internal control activities help ensure that employees carry out\n    management directives. The control activities should effectively and efficiently\n    accomplish agency control objectives.\n\n    3 The control activities are the policies, procedures, techniques, and mechanisms\n      that enforce management\xe2\x80\x99s directives. They help ensure that employees take\n      actions to address risks.\n\n    3 Control activities occur at all levels and functions of the entity, and include a wide\n      range of diverse activities such as approvals, authorizations, verifications,\n      reconciliations, performance reviews, maintenance of security, and creation and\n      maintenance of related records that document the execution of these activities.\n\n\xe2\x80\xa2   Information and Communications \xe2\x80\x93 Employees should record and communicate\n    information to management and others within the entity who need it in a form and\n    within a time frame that enables them to carry out their internal control (and other)\n    responsibilities effectively and efficiently.\n\n    3 An organization must have relevant, reliable, and timely communications relating\n      to internal as well as external events. Information is needed throughout the\n      agency to achieve all its operational and financial objectives.\n\n    3 Effective communications should occur in a broad sense with information flowing\n      down, across, and up the organization.\n\n    3 Management should ensure there are adequate means of communicating with, and\n      obtaining information from, external stakeholders that may have a significant\n      impact on the agency achieving its goals.\n\n\xe2\x80\xa2   Monitoring \xe2\x80\x93 Internal control monitoring should assess the quality of performance\n    over time and ensure that audit and other review findings are promptly resolved.\n\n    3 Includes regular management and supervisory activities, comparisons,\n      reconciliations, and other actions employees take in performing their duties.\n\n    3 Should include policies and procedures for ensuring that audit and other review\n      findings are promptly resolved.\n\x0cInternal Control Evaluation Form for the Office of the General Counsel                                          Attachment A\n\nControl Component     Deficiencies\nControl Environment   \xe2\x80\xa2 Training \xe2\x80\x93 Cardholders are not inputting their own transactions into EDCAPS because they have not had\n                         sufficient training on EDCAPS.\n\nRisk Assessment       \xe2\x80\xa2   Identification of Risks \xe2\x80\x93 OGC procurement staff were not aware of any formal risk assessment\n                          procedures in the procurement area. In addition, the Executive Officer has not been significantly\n                          involved with the Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA) reporting process.\n                      \xe2\x80\xa2   Assignment of Risk Levels \xe2\x80\x93 The Executive Officer has been assigned a moderate risk level. Most\n                          Executive Officers in the Department have been assigned a high risk level.\n\nControl Activities    \xe2\x80\xa2   Policies and Procedures \xe2\x80\x93 Although required by the Department\xe2\x80\x99s Directive on Commercial Credit Card\n                          Service (C:FIM:6-102) dated March 12, 1990, OGC has no written policies and procedures on the\n                          purchase card process.\n                      \xe2\x80\xa2   Non-Compliance \xe2\x80\x93 As mentioned in the cover memorandum, we were informed that purchase cards were\n                          used by the Executive Officer.\n                      \xe2\x80\xa2   Separation of Duties \xe2\x80\x93 In addition to periodically using the purchase cards, the Executive Officer inputs\n                          the purchase card transactions into EDCAPS. No one reviews that input.\n                      \xe2\x80\xa2   Purchase Cards \xe2\x80\x93 We reviewed the September 1999 and the March 2000 statements from OCFO files.\n                          Our purpose was to verify that OGC had submitted all its monthly card statements with activity to OCFO\n                          and that the approving official had signed the card statements to support OCFO\xe2\x80\x99s Department-wide\n                          payments. We also reviewed 25 judgmentally selected purchase card transactions.\n                          \xe2\x99\xa6 Approval of monthly purchase card statements:\n                             \xe2\x80\xa2 For September 1999, one card had activity. The statement for that card was in OCFO\xe2\x80\x99s files and\n                                 was signed by the approving official.\n                             \xe2\x80\xa2 For March 2000, both cards had activity. Statements for both cards were in OCFO files and were\n                                 signed by the approving official. However, neither card was signed by the cardholder.\n                             \xe2\x80\xa2 Of the 25 statements in OGC\xe2\x80\x99s files dated between January 1999 and May 2000, all were signed\n                                 by the approving official but only four were signed by the cardholders.\n\x0c                   \xe2\x99\xa6 Split Procurements \xe2\x80\x93 As mentioned in the cover memorandum, we identified two acquisitions that\n                       appear to have been split.\n                      \xe2\x80\xa2 One card statement had two charges of equal amounts on the same day to the same vendor for the\n                          same product. The total of the two charges would have exceeded the cardholder\xe2\x80\x99s single purchase\n                          limit. Both charges had the same EDCAPS transaction number.\n                      \xe2\x80\xa2 Another card statement had three charges of equal amounts on the same day to the same vendor.\n                          The three charges totaled $5080 which exceeds the micro-purchase threshold. All three charges\n                          had the same EDCAPS transaction number.\n                   \xe2\x99\xa6 Recordkeeping \xe2\x80\x93 The amount recorded in EDCAPS for both of the acquisitions that appear to have\n                       been split were in error. The amounts recorded in EDCAPS exceed the charges by $599 and $470,\n                       respectfully.\n                 \xe2\x80\xa2 Third Party Drafts (TPDs) \xe2\x80\x93 We reviewed 20 randomly selected TPDs.\n                   \xe2\x99\xa6 Date Stamping \xe2\x80\x93 None of the invoices were dated stamped upon receipt. The date of receipt is\n                      necessary to determine the payment due date under the Prompt Payment Act.\n                   \xe2\x99\xa6 Prompt Payment \xe2\x80\x93 Based on the due date noted on the invoice, one invoice was paid five days late.\n                   \xe2\x99\xa6 Overpayment \xe2\x80\x93 Payment to one vendor was miscalculated resulting in a $249.25 overpayment.\n                      While we were conducting our review, OGC requested a refund of the overpayment.\n                   \xe2\x99\xa6 Prepayment \xe2\x80\x93 OGC prepaid one vendor $350.35.\n                   \xe2\x99\xa6 Documentation \xe2\x80\x93 One invoice for $54 was missing.\n                 \xe2\x80\xa2 Imprest Fund:\n                   \xe2\x99\xa6 The cash on hand was $127.05 and $5 in metro fare cards. The balance listed in the records of the\n                      fund was $113.73. We were unable to reconcile the difference.\n                   \xe2\x99\xa6 OGC had no written policies and procedures regarding the Imprest fund.\n\nInformation &    \xe2\x80\xa2   Communication of Key Information \xe2\x80\x93 One of the cardholders had heard of the Department\xe2\x80\x99s Directive\nCommunications       on Commercial Credit Card Service; the other had not.\n\nMonitoring       On-going Monitoring \xe2\x80\x93 The supervisor of the individual with signature authority for TPDs does not perform\n                 periodic reviews of the drafts issued by OGC.\n\x0c"